BICTThttp://www.bictt.com/blogs/bictt.php
en-UShttp://blogs.law.harvard.edu/tech/rss60OMS - Antimalware Assessment examplehttp://www.bictt.com/blogs/bictt.php/2016/10/05/oms-antimalware-assessment-example
Wed, 05 Oct 2016 20:09:00 +0000Bob CornelissenSCOMOMS449@http://www.bictt.com/blogs/<p>As you may know I have been playing with OMS for a while, especially on the Log Analytics side and some security items. One of the solutions I added quickly was the Antimalware Assessment solution.</p>
<p>What the Antimalware Assessment does is first of all check whether you are protected at all. It recognizes a number of antivirus products, and it also flags machines on which it finds no protection other than the last run of the Malicious Software Removal Tool, which comes with Windows Update every month. For System Center Endpoint Protection, for instance, it can also pick up on detected threats.</p>
<p>Today I had a chance to also see that part in action <img src="http://www.bictt.com/blogs/rsc/smilies/icon_twisted.gif" title="&amp;amp;#58;&amp;amp;#62;" alt="&amp;amp;#58;&amp;amp;#62;" class="middle" width="15" height="15" /></p>
<p>So I got the following email:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/OMS/OMSAMSolemail.PNG" alt="" title="" /></p>
<p>This does also name which machine is involved and such.</p>
<p>So I went to my OMS workspace and went into the Antimalware Assessment to find this:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/OMS/OMSAMSol1.PNG" alt="" title="" /></p>
<p>From here we can see which machine was affected and also that the threat has been quarantined already. The second blade tells me what item was found and at what time.</p>
<p>If you click on the threat or the machine you will get to see the log entries leading to this. It features things like which files in which path were found and quarantined.</p>
<p>So let me have a look at the machine giving the alert, and sure enough there it is:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/OMS/OMSAMSol3.PNG" alt="null" title="null" /></p>
<p>So this gave me the opportunity to confirm that this file does not belong there and to remove it permanently. And of course make sure to run a full scan afterwards, just to be sure.</p>
<p>So there you have it. Immediate value add by the OMS solution on top of what you have already. <img src="http://www.bictt.com/blogs/rsc/smilies/icon_cool.gif" title="&amp;amp;#66;&amp;amp;#41;" alt="&amp;amp;#66;&amp;amp;#41;" class="middle" width="15" height="15" /><img src="http://www.bictt.com/blogs/rsc/smilies/icon_idea.gif" title="&amp;amp;#58;&amp;amp;#105;&amp;amp;#100;&amp;amp;#101;&amp;amp;#97;&amp;amp;#58;" alt="&amp;amp;#58;&amp;amp;#105;&amp;amp;#100;&amp;amp;#101;&amp;amp;#97;&amp;amp;#58;" class="middle" width="15" height="15" /><img src="http://www.bictt.com/blogs/rsc/smilies/icon_biggrin.gif" title="&amp;amp;#58;&amp;amp;#68;" alt="&amp;amp;#58;&amp;amp;#68;" class="middle" width="15" height="15" /></p>
<p>Have fun and stay safe!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/10/05/oms-antimalware-assessment-example">Original post</a>.</small></p></div>
]]>http://www.bictt.com/blogs/bictt.php/2016/10/05/oms-antimalware-assessment-example#commentshttp://www.bictt.com/blogs/bictt.php?tempskin=_rss2&disp=comments&p=449STOP 0x00000050 PAGE_FAULT_IN_NONPAGED_AREA on a Windows 2008 serverhttp://www.bictt.com/blogs/bictt.php/2016/09/17/stop-0x00000050-page_fault_in_nonpaged_area-on-a
Sat, 17 Sep 2016 09:06:00 +0000Bob CornelissenWindows 2008Windows 2012448@http://www.bictt.com/blogs/<p>I was working with an old Windows 2008 R2 server last night. It needed a "few" updates!<br />
So I will first admit to several of my own mistakes. I did not give myself time to update this machine regularly enough in the past, and of course we always have to install the Windows Updates on time. If you wait an extra month so that any problems introduced by one month's fixes are fixed the next, that is something we all understand. But this was many months' worth of updates. I went the lazy way, which bit me as you will see below.</p>
<p>I was first interested in getting one specific update onto the machine. So I selected that update and a random few other smaller updates. Now this is a mistake! It installed the updates and wanted a reboot. OK. The next thing that happens is that the machine starts up straight into a Blue Screen with code <strong>STOP 0x00000050 PAGE_FAULT_IN_NONPAGED_AREA</strong>, or in short a code 0x50. There was no way around this into, for instance, safe mode. The only thing which popped up was the System Recovery Options shown below:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/w2k8repaircons.jpg" alt="" title="" /></p>
<p>By the way, before you get to this screen it asks you for the Local Administrator password. Turns out even I did not remember it, but I got it in the end. Managing admin accounts, including local administrator accounts, is important. Watch Paula Januszkiewicz give you an example of why it is important in one of the <a href="http://cqureacademy.com/blog/identity-theft-protection/pass-hash-attack-tutorial">CQURE academy sessions about passing the hash</a>.</p>
<p>Felt a little panic coming up at that point, because data loss, or at least a lot of time fixing things, can follow this. It did not look like I could do much from here either. I did have backups of the data, so in time I could have restored it.<br />
Another reason for the panic is that I was doing two systems at the same time and in the same way.... and you guessed it... both with the same result!</p>
<p>A lot of googling later, and there are a lot of videos explaining how to fix this FROM Windows! The problem is that I am stuck in this System Recovery Options screen. The memory check did not show anything, by the way.</p>
<p>Well, somewhere hidden in a comment on one of the threads (I cannot find it anymore!) was the suggestion that some previous hotfix might have hit one file, and that removing that file solved it for a few people.</p>
<p>In the picture above you can see a command prompt. Open that.<br />
Next you need to find out which drive letter contains your Windows installation. System Recovery just takes a drive letter for itself and assigns the other drives to other drive letters. So I did a <strong>C:</strong> Enter, then <strong>DIR</strong>, and knew this was not the drive. So I went to <strong>D:</strong> and did <strong>DIR</strong> again. Nope... Continued until I got it.</p>
<p><strong>CD Windows\system32<br />
Dir *cache*</strong></p>
<p>The file I am looking for is fntcache.dat.</p>
<p>This is the font cache file. Do NOT touch the DLL file there. The DAT file is a cache and will be rebuilt by Windows after the restart.</p>
<p><strong>del fntcache.dat</strong></p>
<p>Now I exited the command prompt and restarted the server. It started into Windows again, which is where I hoped it would go.</p>
<p>Next I still needed to do a select-all on the rest of the updates and install them all the same <img src="http://www.bictt.com/blogs/rsc/smilies/icon_cool.gif" title="&amp;amp;#66;&amp;amp;#41;" alt="&amp;amp;#66;&amp;amp;#41;" class="middle" width="15" height="15" /><img src="http://www.bictt.com/blogs/rsc/smilies/icon_biggrin.gif" title="&amp;amp;#58;&amp;amp;#68;" alt="&amp;amp;#58;&amp;amp;#68;" class="middle" width="15" height="15" /></p>
<p>So keep in mind to update regularly, and do not select half the updates but go for them all, because there are fixes in there which fix issues created (or surfaced) by other fixes.</p>
<p>Now I can continue with actually replacing these servers, which was the plan to start with!</p>
<p>Good luck!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/09/17/stop-0x00000050-page_fault_in_nonpaged_area-on-a">Original post</a>.</small></p></div>
]]>http://www.bictt.com/blogs/bictt.php/2016/09/17/stop-0x00000050-page_fault_in_nonpaged_area-on-a#commentshttp://www.bictt.com/blogs/bictt.php?tempskin=_rss2&disp=comments&p=448Error 500.19 after installing Savision LiveMaps Unity Portalhttp://www.bictt.com/blogs/bictt.php/2016/09/14/error-500-19-after-installing
Wed, 14 Sep 2016 10:18:00 +0000Bob CornelissenSCOMSystem CenterSCOM TricksSCOM 2012SCOM 2016447@http://www.bictt.com/blogs/<p>Today I was doing a quick installation of the Savision 8.2 Live Maps Unity Portal. Downloaded the self-extracting executable from the website and of course arranged a license key. While running the installer I selected the Express setup which just pushes the web portal onto the machine and not the other components available in the Advanced installation option. The installation ran in 2 minutes on a slow machine, and this is including the extracting of the files and running checks.</p>
<p>After installation the web page automatically opens up, and I was greeted with the following error:</p>
<p>HTTP Error 500.19 - Internal Server Error<br />
Module: WindowsAuthenticationModule</p>
<p>In the error description there is talk of a configuration section being locked at parent level.</p>
<p>Screenshot of the error:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/Savision/50019b.jpg" alt="" title="" /></p>
<p>What happened is that at server level Windows Authentication is turned off, and that this configuration section is locked for the whole machine. The Live Maps Portal then tries to read its own Authentication settings from its configuration file, and because this section is locked at a higher level, IIS throws an error.</p>
<p>How to fix it:</p>
<p>Open IIS Manager<br />
In the left menu select your server name<br />
In the middle of the screen select Configuration Editor</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/Savision/50019c.jpg" alt="" title="" /></p>
<p>Near the top of the Configuration Editor is a selection box for which section you want to see and edit.<br />
Go to system.webServer/security/authentication/windowsAuthentication</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/Savision/50019d.jpg" alt="" title="" /></p>
<p>In the right hand menu you will find a link to Unlock Section. Click it to unlock this configuration item.</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/Savision/50019e.jpg" alt="" title="" /></p>
<p>Now any lower level (Sites or Applications within a site) can have their own configuration for Windows Authentication.</p>
<p>Refresh the error page and the Live Maps Unity Portal came up fine!</p>
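<p>The same unlock done from an elevated PowerShell prompt with the WebAdministration module, as an added example that is not Savision's or the original post's code. The section name is the one from the post; the portal's application path is a placeholder you will need to change.</p>

```powershell
# Added example, not from Savision or the original post: the Configuration Editor
# steps above done with the WebAdministration module. Run elevated on the IIS server.
Import-Module WebAdministration

$section = 'system.webServer/security/authentication/windowsAuthentication'
$portal  = 'IIS:\Sites\Default Web Site\LiveMaps'   # placeholder: the portal's site/application path

# Before: list the locks on the section at server level (applicationHost.config)
Get-WebConfigurationLock -Filter $section -PSPath 'IIS:\' | Format-List

# Unlock the section at server level, the same as "Unlock Section" in the Configuration Editor.
# (appcmd equivalent: appcmd unlock config -section:system.webServer/security/authentication/windowsAuthentication)
Remove-WebConfigurationLock -Filter $section -PSPath 'IIS:\'

# After: the server-level default can stay off; the portal's own web.config may now turn it on.
# Both reads should succeed now, where the second one was the 500.19 before the unlock.
Get-WebConfigurationProperty -Filter $section -Name enabled -PSPath 'IIS:\'
Get-WebConfigurationProperty -Filter $section -Name enabled -PSPath $portal
```

<p>Unlocking at server level lets every site and application on the machine set its own Windows Authentication state, which is what the post does. If you want the override allowed only for the portal, appcmd accepts a configuration path in front of the section, for example <strong>appcmd unlock config "Default Web Site/LiveMaps" -section:system.webServer/security/authentication/windowsAuthentication</strong>, which writes a location tag for that path instead of changing the machine-wide default.</p>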
<p>Happy dashboarding!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/09/14/error-500-19-after-installing">Original post</a>.</small></p></div>
]]>http://www.bictt.com/blogs/bictt.php/2016/09/14/error-500-19-after-installing#commentshttp://www.bictt.com/blogs/bictt.php?tempskin=_rss2&disp=comments&p=447SCOM: DMZ or workgroup machines refusing to connect to SCOMhttp://www.bictt.com/blogs/bictt.php/2016/09/12/scom-dmz-or-workgroup-machines
Mon, 12 Sep 2016 10:01:00 +0000Bob CornelissenSCOMSCOM TricksSCOM 2012446@http://www.bictt.com/blogs/<p>Ran into a customer issue today whereby there was a nice clean SCOM 2012 R2 installation with URs. Certificates arranged and momcertimport run. On the agent machines in the DMZ we had the agent installed, the UR on it, the certificate root imported and the certificate meant for the computer imported. momcertimport was run to get the correct certificate active. Yet no communication at all between agent and server. This is what I found:</p>
<p>So first checks are:</p>
<ol>
<li>does the agent machine have the certificate for the name of the server (which in workgroup can be the short name and in a dmz domain a fully qualified name)? <strong>Yes</strong></li>
<li>does the agent machine trust the CA which issued the certificate? (in this case a customer own CA, so the root chain cert was imported). <strong>Yes</strong></li>
<li>can the agent resolve the SCOM server name you used while configuring the agent? Yes</li>
<li>Is the management group name we used in configuring the agent correct (case sensitive!)? <strong>Yes</strong></li>
<li>Is there a firewall blocking TCP 5723 from agent to SCOM server? <strong>Yes!</strong> OK this was fixed quickly, and verified with telnet. Still no communication! <strong>Moving on</strong>.</li>
<li>On the SCOM server did we import the CA root chain as trusted and did momcertimport run on the correct machine certificate with the correct FQDN for that server? <strong>Yes</strong></li>
<li>Restart the HealthService on both sides... <strong>Yes</strong>. No effect.</li>
</ol>
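<p>The checks in the list above, scripted so they can be run on a DMZ or workgroup agent before digging any further. This is an added example, not code from the original post; the SCOM server name and the name the certificate must carry are placeholders, and it uses Resolve-DnsName and Test-NetConnection, which are available from Windows 8.1 / Server 2012 R2 onwards.</p>

```powershell
# Added example, not from the original post: the first checks from the list above on an agent.
param(
    [string]$ScomServer      = 'scomserver.domain.com',   # placeholder: the name used when configuring the agent
    [string]$CertificateName = $env:COMPUTERNAME          # placeholder: the name the agent's certificate must carry
)

$checks = [ordered]@{}

# Check 3: does the agent resolve the SCOM server name it was configured with?
$checks['ServerNameResolves'] = [bool](Resolve-DnsName -Name $ScomServer -ErrorAction SilentlyContinue)

# Check 5: is TCP 5723 from agent to management server open? Replaces the telnet test.
$checks['Tcp5723Reachable'] = (Test-NetConnection -ComputerName $ScomServer -Port 5723 -WarningAction SilentlyContinue).TcpTestSucceeded

# Checks 1 and 2: a computer certificate with the right name and a private key, chaining to a
# trusted CA, with both Server Authentication and Client Authentication enhanced key usages
# (SCOM needs both, because agent and server authenticate each other).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CertificateName*" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1
$checks['CertificateFound'] = [bool]$cert
if ($cert) {
    $checks['CertificateChainTrusted']          = $cert.Verify()
    $eku = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $checks['CertificateHasServerAndClientAuth'] = ('1.3.6.1.5.5.7.3.1' -in $eku) -and ('1.3.6.1.5.5.7.3.2' -in $eku)
    $checks['CertificateThumbprint']             = $cert.Thumbprint
}

# Check 4: management group names the agent is configured for, read from the agent's registry key.
# Compare them with the real management group name case-sensitively.
$mgKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups'
$checks['ConfiguredManagementGroups'] = (Get-ChildItem -Path $mgKey -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSChildName }) -join ', '

[pscustomobject]$checks | Format-List
```

<p>Every line that comes back False is one of the usual suspects from the list; if everything is True and the agent still does not talk, the problem is on the server side, which is where the rest of this post goes.</p>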
<p>Man, usually it's name resolution, firewall and routing, a certificate with the wrong name, no certificate, or an untrusted certificate. Pffff.</p>
<p>Something must be wrong with the SCOM server, I'm sure of it.</p>
<p>Next step, let's check whether all our SPNs are correct.</p>
<p><strong><em>setspn -L scomservername</em></strong></p>
<p>Hey, wait a second, I see an entry like this:</p>
<p>MSOMSdkSvc/scomservername</p>
<p>Now this SCOM server is installed with the setting that the SDK service is running using a domain account. So this SPN should not be registered to the server itself but to the service account in the domain.</p>
<p><strong><em>setspn -L domain\sdkserviceaccount</em></strong></p>
<p>Sure enough, the MSOMSdkSvc entry for the mentioned server is not present on this service account.</p>
<p>Alright, now we cannot register the correct SPN for this until we remove the wrong one, so we first delete the wrong ones.</p>
<p><strong><em>setspn -d MSOMSdkSvc/scomservername scomservername<br />
setspn -d MSOMSdkSvc/scomservername.domain.com scomservername</em></strong></p>
<p>Next we enter the SPNs on the service account:</p>
<p><strong><em>setspn -s MSOMSdkSvc/scomservername domain\serviceaccount<br />
setspn -s MSOMSdkSvc/scomservername.domain.com domain\serviceaccount</em></strong></p>
<p>And we check our results again with the setspn -L command.<br />
Looks fine now.<br />
Try again.<br />
Grrrrrrr.</p>
<p>It must be the certificate somehow.<br />
Open MMC Certificates, check the computer certificate. Is it valid, is it trusted, is it for the right purposes, does it have the correct name... Yes.<br />
momcertimport it again... only one certificate to choose from, and it's the same one. Restart the Microsoft Management Agent service afterwards.</p>
<p>Same.</p>
<p>Wait a second. Let me check in the registry for this certificate. What Momcertimport does is not that difficult. It grabs two properties of the certificate and creates two registry keys for it for SCOM to use.</p>
<p>Aha! NO registry values!</p>
<p>Looking in this key there must be two entries relating to the certificate:<br />
<strong>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings</strong></p>
<p>Alright, so I will create them manually!<br />
What you do is open the properties of the certificate. You need the Thumbprint and the SerialNumber.</p>
<p>Create a New -> <strong>String Value</strong><br />
Name it: <strong>ChannelCertificateHash</strong><br />
Copy and paste the Thumbprint contents into it and remove the spaces in between</p>
<p>Create a New -> <strong>Binary Value</strong><br />
Name it: <strong>ChannelCertificateSerialNumber</strong><br />
Now go to the properties of the certificate and click the Serial Number. It's again a string of numbers and letters in pairs of two. What you need to do is fill in the pairs of two in the registry Binary value IN REVERSE.<br />
Example:<br />
Original serial number in certificate = 68 00 AB CD 69 00 23<br />
What you enter in Binary field = 23 00 69 CD AB 00 68<br />
So the pair of 2 characters stays the same, but the order of the pairs in the total string is reversed.</p>
<p>Next I restarted the SCOM services.</p>
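<p>The two registry values described above, written by script instead of by hand, as an added PowerShell example. This is not the momcertimport tool itself, only the behaviour the post describes; the registry path is the one from the post, the certificate thumbprint is a placeholder, and it must run elevated on the management server.</p>

```powershell
# Added example, not the momcertimport tool: create ChannelCertificateHash and
# ChannelCertificateSerialNumber for a chosen certificate. Run elevated on the SCOM server.
$Thumbprint = 'REPLACE-WITH-CERT-THUMBPRINT'   # placeholder: paste from the certificate dialog, spaces allowed
$RegPath    = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

function ConvertTo-HexString {
    param([byte[]]$Bytes)
    ($Bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

function ConvertTo-ReversedSerialBytes {
    # Turn the serial number as shown in the certificate dialog ("68 00 AB CD 69 00 23") into the
    # byte order the Binary value needs (23 00 69 CD AB 00 68): each pair of hex characters stays
    # intact, only the order of the pairs is reversed.
    param([string]$SerialHex)
    $clean = ($SerialHex -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length % 2 -ne 0) { throw "Serial number has an odd number of hex digits: $SerialHex" }
    [byte[]]$bytes = 0..($clean.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($clean.Substring(2 * $_, 2), 16) }
    [array]::Reverse($bytes)
    return ,$bytes
}

# Sanity check against the post's own example before touching anything
$demo = ConvertTo-HexString (ConvertTo-ReversedSerialBytes '68 00 AB CD 69 00 23')
if ($demo -ne '23 00 69 CD AB 00 68') { throw "Unexpected reversal result: $demo" }

$thumb = ($Thumbprint -replace '\s', '').ToUpper()
$cert  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "No certificate with thumbprint $thumb in LocalMachine\My" }

$hashValue   = $cert.Thumbprint                                   # REG_SZ: thumbprint without spaces
$serialBytes = ConvertTo-ReversedSerialBytes $cert.SerialNumber   # REG_BINARY: pairs reversed

# Cross-check: .NET's GetSerialNumber() already returns the serial in little-endian order,
# which is exactly the reversed form, so the two must agree.
$fromDotNet = ConvertTo-HexString $cert.GetSerialNumber()
$wanted     = ConvertTo-HexString $serialBytes
if ($fromDotNet -ne $wanted) { throw "Serial byte order mismatch: $wanted vs $fromDotNet" }

if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
Set-ItemProperty -Path $RegPath -Name ChannelCertificateHash         -Value $hashValue   -Type String
Set-ItemProperty -Path $RegPath -Name ChannelCertificateSerialNumber -Value $serialBytes -Type Binary

# Read back what SCOM will see, then restart the Health Service so it picks the certificate up
$stored = Get-ItemProperty -Path $RegPath
"ChannelCertificateHash         = $($stored.ChannelCertificateHash)"
"ChannelCertificateSerialNumber = $(ConvertTo-HexString $stored.ChannelCertificateSerialNumber)"
Restart-Service -Name HealthService
```

<p>The read-back at the end is the check the post ends up needing: if the two values are missing or the serial bytes are in the wrong order, the server silently falls back to not using the certificate, and every untrusted agent is refused while domain agents keep working.</p>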
<p>Within the minute it started saying that: A device which is not part of this management group has attempted to access this Health Service. <br />
Those were the DMZ machines which just keep trying again and again!</p>
<p>Success!</p>
<p>In the end it will have been the certificate rather than the SPN record which messed it up, but at least I could show what I checked. When the SPN came up I just fixed it as well. In the end it WAS the certificate, even though I felt that it was alright. Well, when in doubt, and ALL untrusted agents refuse to talk to this machine while all trusted ones have no issue... triple-check the certificate and whether SCOM is actually using it!</p>
<p>Have fun monitoring!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/09/12/scom-dmz-or-workgroup-machines">Original post</a>.</small></p></div>
]]>http://www.bictt.com/blogs/bictt.php/2016/09/12/scom-dmz-or-workgroup-machines#commentshttp://www.bictt.com/blogs/bictt.php?tempskin=_rss2&disp=comments&p=446How to make a SCOM implementation project successfulhttp://www.bictt.com/blogs/bictt.php/2016/06/21/how-to-make-a-scom
Tue, 21 Jun 2016 19:26:00 +0000Bob CornelissenSCOMSystem CenterSCOM TricksSCOM 2012SCOM 2016445@http://www.bictt.com/blogs/<p>I thought I would take a different approach to thinking about how to make a SCOM monitoring project a success. It is not about technical details or designs this time, but about a way to bring business and IT together into monitoring business related services and being in control of those processes. In a short blog post below I am touching upon some of those items.</p>
<p><a href="https://www.savision.com/resources/how-to-make-a-scom-implementation-project-successful">https://www.savision.com/resources/how-to-make-a-scom-implementation-project-successful</a></p>
<p>Enjoy <img src="http://www.bictt.com/blogs/rsc/smilies/icon_cool.gif" title="&amp;amp;#66;&amp;amp;#41;" alt="&amp;amp;#66;&amp;amp;#41;" class="middle" width="15" height="15" /><br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/06/21/how-to-make-a-scom">Original post</a>.</small></p></div>
]]>http://www.bictt.com/blogs/bictt.php/2016/06/21/how-to-make-a-scom#commentshttp://www.bictt.com/blogs/bictt.php?tempskin=_rss2&disp=comments&p=445WSUS Console not able to connect Handshake failedhttp://www.bictt.com/blogs/bictt.php/2016/06/07/wsus-console-not-able-to
Tue, 07 Jun 2016 10:19:00 +0000Bob CornelissenSystem CenterWindows 2012444@http://www.bictt.com/blogs/<p>Last week I installed a fresh WSUS server for a customer of mine and because it needed to download lots of files after the approvals were done we left it for a few days. Today I came in and opened the WSUS console only to notice it refused to connect. Got an error like this one:</p>
<p><strong>The WSUS administration console was unable to connect to the WSUS Server via the remote API. <br />
Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.<br />
The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists, Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.<br />
System.IO.IOException -- The handshake failed due to an unexpected packet format.</strong></p>
<p>After checking that the required services were running, the investigation starts. Lots of blog and forum posts from long ago to recent, all with different solutions.</p>
<p>I came across a post from 6 weeks or so ago which talks about an update KB3148812 which causes this behavior and also to cause an additional error where clients can not scan WSUS.</p>
<p>Now I could not find this KB patch installed on my system; however, it mentioned manual steps to be done after applying the hotfix, and those manual steps did indeed solve it. Keep reading.<br />
A little more research found that 3148812 has since been withdrawn and another one came in its place: KB3159706.</p>
<p><a href="https://support.microsoft.com/en-us/kb/3159706">KB3159706</a></p>
<p>This article describes what is going on and it contains manual steps to be followed! The first step solved the console not being able to connect. The second step is for HTTP Activation. And if you have SSL turned on there are a few more steps to follow.</p>
<p>Happy updating!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/06/07/wsus-console-not-able-to">Original post</a>.</small></p></div>
SCOM 2016 Features - Example - Network Monitoring MP Generator
http://www.bictt.com/blogs/bictt.php/2016/05/08/scom-2016-features-example-network
Sat, 07 May 2016 22:50:00 +0000, Bob Cornelissen (SCOM, System Center, SCOM 2016)
<p>In my previous post, which introduced the <a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-network-monitoring">SCOM 2016 Features - Network Monitoring MP Generator</a>, I showed you the command syntax of the tool and why it was created. Now it is time for an example.</p>
<h3>The idea:</h3>
<p>Have fun monitoring some network device and see how the principles of the input XML file work.</p>
<p>Also, because I have been doing a few presentations with a SCOMosaur theme, we combine a little SCOM with a little dinosaur madness. You will see a few references to that here and there.</p>
<p>Mind that I am using a simulated device which may not be fit for this purpose, the reason being that the default simulated devices in the Jalasoft SNMP Device Simulator are all CERTIFIED, and we are of course creating monitoring for the non-certified devices. <img src="http://www.bictt.com/blogs/rsc/smilies/icon_crazy.gif" title="&amp;amp;#58;&amp;amp;#99;&amp;amp;#114;&amp;amp;#97;&amp;amp;#122;&amp;amp;#121;&amp;amp;#58;" alt="&amp;amp;#58;&amp;amp;#99;&amp;amp;#114;&amp;amp;#97;&amp;amp;#122;&amp;amp;#121;&amp;amp;#58;" class="middle" width="23" height="15" /> The OIDs in the example below are from an APC UPS device, but for now it serves clearly enough as an example.</p>
<h3>Prerequisites</h3>
<ul>
<li>First of all I am using SCOM 2016 TP5 here, which is the first version to include this feature.</li>
<li>I am using Jalasoft SNMP Device Simulator on another machine to simulate a few network devices of different types.</li>
<li>Of course make sure both sides can reach each other with ping (ICMP) and SNMP.</li>
<li>I am using iReasoning MIB Browser to browse the SNMP tree on the selected device to confirm we actually have data there and to determine the right OIDs.</li>
</ul>
<p>Next on the list is to discover the devices in SCOM by creating a Device Discovery and adding the device IP addresses and SNMP community string to it and letting SCOM discover the devices.</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/NWMPGen1.png" alt="" title="" /></p>
<h3>The XML input file</h3>
<p>Actually, the idea here is much the same as a simple management pack setup.</p>
<ul>
<li>A manifest with management pack name and version</li>
<li>A Device definition</li>
<li>A Device discovery</li>
<li>Device Components</li>
<li>Device Component Discovery</li>
<li>Rules (these are collection rules)</li>
<li>Monitors</li>
</ul>
<h4>Starting the Manifest</h4>
<p>First we define the start of the input file with the Root tag.<br />
Next we define the Display Name and Version for the management pack.</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/NWMPGenA.png" alt="" title="" /></p>
<p>Name and Version are mandatory and an optional tag is KeyToken.</p>
<h4>Device Definition and Discovery</h4>
<p>The next thing to do is create an entry for each type of device and to make a device discovery for it.</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/NWMPGenB.png" alt="" title="" /></p>
<p>First we define a name for the device.<br />
Next we jump into a discovery for it.</p>
<p>The discovery covers the SysObjId tag which points to the unique device identifier for the device type.<br />
Next we have to specify a device type. The following types are supported for now: Switch, Router, Firewall, LoadBalancer.<br />
Next fill out the Vendor and Model.</p>
<h4>Components and Discovery</h4>
<p>Now it is time to look into the components of the device, for example Processors or Fans. After we discover those we can target monitors and rules at those components in order to monitor them.</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/NWMPGenC.png" alt="" title="" /></p>
<p>We are opening the Components tag here, and it will be closed all the way at the end of the story.</p>
<p>Next we define our first component.<br />
There are a few component types supported at this moment: Processor, Memory, Fan, Voltage Sensor, Power Supply, Temperature Sensor.<br />
And we give it a name of course.</p>
<p>Now we define the OIDs we are interested in. These OIDs will have to be present for each instance of the Component we define. One of them will be used in the discovery of the component, and the same one and/or the others can be used for rules and monitors. At least we have defined all of them here and given them distinct names.</p>
<p>We do not have to enter the index number of each component instance. For example:</p>
<p>fan1 = 1.3.6.1<br />
fan2 = 1.3.6.2<br />
fan3 = 1.3.6.3</p>
<p>In this very short OID example you can see that the last number is the index number of each fan. So we only need to specify 1.3.6 in this case and the discovery will find each instance for you.</p>
<p>In this case I named the component the Tricera Environment and gave it a Processor type, just because it needs to conform to the default types at this moment.</p>
<p>The three OIDs used are a Temperature OID, a Usage OID (which happens to be the percentage of battery left for the UPS), and an overall state indicator OID for this component.<br />
For the step coming after this, it means we have two performance counters we can collect (but I will collect all three in the example), and we can also create state monitors based on the values.</p>
<p>Lastly, the ComponentDiscovery is a pointer to which of the already defined OIDs is the component indicator. In this case I use the state indicator OID. If that OID is present (with an index number behind it), an instance of the component will be created, one per index found.</p>
<h4>Monitoring and Rules</h4>
<p>Alright, now the monitoring needs to be defined for the component we are still working on.</p>
<p>For starters we set the Monitoring tag. We will close that tag later after we have defined all rules and monitors.</p>
<p>Next we start with the rules:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/NWMPGenD.png" alt="" title="" /></p>
<p>We open the Rules tag and next define the performance collection rules as you see here. I used short names for it and pointed each rule to the name of the OID we defined already. See how easy that part is?</p>
<p>Let's go to the monitors now...</p>
<h4>Monitors</h4>
<p>First again we start it off with the Monitors tag which we will close off after the last monitor we add.</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/NWMPGenE.png" Width="700" alt="" title="" /></p>
<p>Alright, the first UnitMonitor. We give it a name, in this case Triceratops Environment Status.</p>
<p>It is a two-state monitor, so we define two expressions. Both of them point (in black letters in the middle here) to the name of the OID containing the state indication.<br />
The first expression is for success (green state) and uses 2 or less. The second expression uses anything higher than 2 to set it to an error state.</p>
<p>So I repeated that two more times: once for the Temperature, set to 30 degrees as the maximum acceptable value, otherwise our dino gets sunburn. <img src="http://www.bictt.com/blogs/rsc/smilies/icon_lalala.gif" title="&amp;amp;#58;&amp;amp;#108;&amp;amp;#97;&amp;amp;#108;&amp;amp;#97;&amp;amp;#108;&amp;amp;#97;&amp;amp;#58;" alt="&amp;amp;#58;&amp;amp;#108;&amp;amp;#97;&amp;amp;#108;&amp;amp;#97;&amp;amp;#108;&amp;amp;#97;&amp;amp;#58;" class="middle" width="26" height="15" /><br />
And the third monitor uses the TriEnvUsage OID to determine whether it is at 100 or below.</p>
<p>And now, as promised, we close the whole load of tags off:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/NWMPGenF.png" alt="" title="" /></p>
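<p>To make the "index behind the OID" discovery and the monitor expressions concrete, here is an added PowerShell example that is not part of the post and is not the MP Generator itself. It parses a constructed snmpwalk-style dump, discovers component instances by matching the ComponentDiscovery OID plus exactly one index (on whole dotted components, so a neighbouring branch such as .1.10 is not mistaken for an instance of .1.1, which a plain string-prefix check would get wrong), and then evaluates the three two-state monitors from the text per instance. The enterprise OID 99999, the dump values and the names TriEnvState and TriEnvTemp are placeholders; only TriEnvUsage and the thresholds (2, 30, 100) come from the post.</p>

```powershell
# Added example, not from the post or the MP Generator tool: instance discovery
# by OID index and two-state monitor evaluation over a constructed SNMP walk.
# Enterprise OID 99999 and all values are made up for illustration.

# Constructed walk output, "<oid> = <type>: <value>" per line, three instances
# under each base OID plus a decoy branch (.1.10) next to the state OID (.1.1).
$walkDump = @'
1.3.6.1.4.1.99999.1.1.1 = INTEGER: 2
1.3.6.1.4.1.99999.1.1.2 = INTEGER: 3
1.3.6.1.4.1.99999.1.1.3 = INTEGER: 1
1.3.6.1.4.1.99999.1.2.1 = INTEGER: 27
1.3.6.1.4.1.99999.1.2.2 = INTEGER: 35
1.3.6.1.4.1.99999.1.2.3 = INTEGER: 22
1.3.6.1.4.1.99999.1.3.1 = Gauge32: 100
1.3.6.1.4.1.99999.1.3.2 = Gauge32: 100
1.3.6.1.4.1.99999.1.3.3 = Gauge32: 94
1.3.6.1.4.1.99999.1.10.1 = INTEGER: 2
'@

# Named base OIDs, as the OID section of the input file does (names assumed).
$oids = @{
    TriEnvState = '1.3.6.1.4.1.99999.1.1'
    TriEnvTemp  = '1.3.6.1.4.1.99999.1.2'
    TriEnvUsage = '1.3.6.1.4.1.99999.1.3'
}
$componentDiscoveryOid = 'TriEnvState'

# Parse the dump into a hashtable of oid -> integer value.
function ConvertFrom-SnmpWalk {
    param([string]$Text)
    $table = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^(?<oid>[\d.]+)\s*=\s*\w+:\s*(?<val>-?\d+)\s*$') {
            $table[$Matches['oid']] = [int]$Matches['val']
        }
    }
    return $table
}

# Component instances are every OID of the form <base>.<index>, nothing deeper,
# and the base must end on a dot boundary (so .1.1 does not match .1.10.1).
function Get-ComponentIndex {
    param([hashtable]$Walk, [string]$BaseOid)
    $pattern = '^' + [regex]::Escape($BaseOid) + '\.(\d+)$'
    $Walk.Keys | ForEach-Object {
        if ($_ -match $pattern) { [int]$Matches[1] }
    } | Sort-Object
}

# A two-state monitor: Healthy when the expression holds, Error otherwise,
# Unknown when the instance lacks the OID (a gap a real MP would surface too).
function Test-UnitMonitor {
    param([hashtable]$Walk, [string]$BaseOid, [int]$Index, [scriptblock]$Healthy)
    $value = $Walk["$($BaseOid).$($Index)"]
    if ($null -eq $value) { return 'Unknown' }
    if (& $Healthy $value) { 'Healthy' } else { 'Error' }
}

$walk      = ConvertFrom-SnmpWalk -Text $walkDump
$instances = Get-ComponentIndex -Walk $walk -BaseOid $oids[$componentDiscoveryOid]

# Expected: instances 1,2,3 only; instance 2 is in Error for Status and Temp.
foreach ($i in $instances) {
    [pscustomobject]@{
        Instance = $i
        Status   = Test-UnitMonitor $walk $oids.TriEnvState $i { param($v) $v -le 2 }
        Temp     = Test-UnitMonitor $walk $oids.TriEnvTemp  $i { param($v) $v -le 30 }
        Usage    = Test-UnitMonitor $walk $oids.TriEnvUsage $i { param($v) $v -le 100 }
    }
}
```

<p>The decoy row is the point of the exercise: if you ever hand-roll discovery logic (or sanity-check what a generated pack discovered against a MIB browser walk), anchor the index pattern on the dot boundary, or a sibling branch will show up as a phantom instance and its monitors will sit at Unknown or flap.</p>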
<h3>The conversion process</h3>
<p>Alright we now have an XML input file with all the stuff we need. Now we need to use the Network Monitoring MP Generator tool to convert the input file to a management pack XML file.</p>
<p>Open a command prompt and go to<br />
<strong>%ProgramFiles%\Microsoft System Center 2016\Operations Manager\Server\</strong></p>
<p>I placed my input file in the folder C:\SCOMosaur with file name dinos.xml and I will allow the output file to be written to that folder as well.</p>
<p>I run the command:<br />
<strong>NetMonMPGenerator.exe -InputFile "C:\SCOMosaur\dinos.xml" -OutputDir "C:\SCOMosaur"</strong></p>
<p>The program will let you know if there are any errors and it will confirm if it finished creating the management pack file.</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/NWMPGen2.png" alt="" title="" /></p>
<p>From here you simply import the management pack and as usual wait a little bit.</p>
<h4>Conclusion</h4>
<p>Well it is a lot easier to create this input file with the basics we need to be monitoring the custom device. The total input XML file was about 60 lines if we take away the empty lines. The resulting management pack was 690 lines long.</p>
<p>There will be a complete example coming from the product team very soon now, including comments in the file and such. This is just a quick starter to help you play with this feature.</p>
<p>This is meant to get NOT Certified devices in a more complete monitoring state as if it were CERTIFIED. As you have seen the device types and component types are for the moment a limited set.</p>
<p>My idea around this feature is that the possibilities might still expand in due time to be more and more flexible. Also it would be nice to see a graphic interface to build up the input XML and of course that would immediately build up the management pack. However those kind of things take a lot of time to build. I consider the current solution a nice go between.</p>
<h4>Back to the <a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-overview">SCOM 2016 Features - Overview</a> post!</h4>
<p>Hope you all have fun!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/05/08/scom-2016-features-example-network">Original post</a>.</small></p></div>
SCOM 2016 Features - Console Performance Improvements
http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-console-performance
Sat, 07 May 2016 13:11:00 +0000, Bob Cornelissen (SCOM, System Center, SCOM 2016)
<p>Obviously the product team has received some feedback in the past on the performance of the SCOM console. It is no secret that this is not the fastest tool out there when opening it, changing views or even refreshing. This is most apparent in larger environments, of course. We can name several good reasons for this which we will not dive into now, but there was room for improvement even when taking those good reasons into account. Now they have started work to increase the speed of certain views within the SCOM console and expand from there.</p>
<p>In SCOM 2016 TP5 first the Alert views were looked at and worked on.</p>
<ul><li>The Alert view is optimized to load efficiently</li>
<li>Alert tasks and alert details in the Alert view are optimized to load efficiently</li>
<li>Context menus of an alert in the Alert view are optimized to load efficiently</li></ul>
<p>Alert views are one of the most used in SCOM, so this is where they started. Meanwhile work is done on other types of views as well, such as State and Performance views. These improvements will arrive later than TP5.</p>
<p>Of course these changes are likely most apparent in larger views and busy environments.</p>
<p>I do not have numbers or percentages of improvement for you yet. We might really start to notice a change in RTM production environments of a certain size later. Still I am very happy this bit of feedback was picked up and worked on.</p>
<h4>Back to the <a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-overview">SCOM 2016 Features - Overview</a> post!</h4>
<p>Wishing you speedy monitoring!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-console-performance">Original post</a>.</small></p></div>
SCOM 2016 Features - Network Monitoring MP Generator
http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-network-monitoring
Sat, 07 May 2016 12:41:00 +0000, Bob Cornelissen (SCOM, System Center, SCOM 2016)
<p>In SCOM 2012 there was a difference between Certified devices and generic devices. When you added a network device to SCOM it would show up as one of the two. The certified devices had additional monitoring applied to them, such as Processor and Memory monitoring, while the generic devices were much more basic in their monitoring possibilities. To get around that, and/or to create additional monitoring for a device's components and add monitors and rules to them, was quite difficult to achieve. I know I spent a week creating a custom management pack for a customer with a few classes, discoveries, monitors and rules, partly because the amount of information was very limited but also because it is such a hard process to get through. Plus I am not really much of a developer, to be honest. <img src="http://www.bictt.com/blogs/rsc/smilies/icon_rolleyes.gif" title="&amp;amp;#58;&amp;amp;#114;&amp;amp;#111;&amp;amp;#108;&amp;amp;#108;&amp;amp;#58;" alt="&amp;amp;#58;&amp;amp;#114;&amp;amp;#111;&amp;amp;#108;&amp;amp;#108;&amp;amp;#58;" class="middle" width="15" height="15" /> Let's say in that week a lot of <img src="http://www.bictt.com/blogs/rsc/smilies/icon_censored.gif" title="&amp;amp;#62;&amp;amp;#58;&amp;amp;#88;&amp;amp;#88;" alt="&amp;amp;#62;&amp;amp;#58;&amp;amp;#88;&amp;amp;#88;" class="middle" width="34" height="15" /> words were used, and thankfully I got great tips from my MVP friend Daniele Grandini.</p>
<p>Now however we are getting some help from SCOM 2016!</p>
<h3>What is the process?</h3>
<p>What you do is create a custom-formatted XML file. This contains some basic information you are used to from creating management packs, such as a name and version number. Next you define discoveries for devices and components, and the SNMP OIDs to look for. Then you create rules which read the defined OIDs and collect their data, and monitors which also read predefined OIDs and have expressions attached to determine the state of the components; these expressions are simpler than the ones you used to write in custom packs.</p>
<p>The tool we are talking about converts this structured XML file into a management pack XML file which can be used by SCOM. It is a simple command line executable with very few options and it will check for mistakes in the input XML and notify you.</p>
<h3>Prerequisites:</h3>
<p>The first thing which needs to happen is that you discover the targeted device as an SNMP network device in SCOM through the usual method. The management pack created with this tool will only work on discovered and monitored network devices. We are just expanding the default monitoring set to include more specific monitoring.</p>
<h3>Where is it found:</h3>
<p>%ProgramFiles%\Microsoft System Center 2016\Operations Manager\Server\NetMonMpGenerator.exe</p>
<h3>The command line options:</h3>
<p>-InputFile or -I passes the file name of the XML file you created (a path can be included, within quotes).</p>
<p>-OutputDir or -O is the directory the output of this tool will be written to (a full path can be used, within quotes). The tool writes the management pack file to this directory.</p>
<p>-Overwrite or -W overwrites an existing MP with the same name if one is found in the output directory.</p>
<p>-Help or -H displays short usage help for the executable.</p>
<h3>Example of command line tool usage:</h3>
<p>I opened up a command prompt and went to the following directory</p>
<p><strong>C:\Program Files\Microsoft System Center 2016\Operations Manager\Server</strong></p>
<p>Next I ran this command (and the directories already existed)</p>
<p><strong>NetMonMPGenerator.exe -InputFile "C:\SCOMosaur\dinos.xml" -OutputDir "C:\SCOMosaur"</strong></p>
<p>And a few seconds later I got this message:</p>
<p><strong>Management pack created: C:\SCOMosaur\System.NetworkManagement.SCOMosaursNetworkPack.xml</strong></p>
<p>This file can be imported into your SCOM environment to start monitoring.</p>
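<p>Added example, not from the post or the product team: the conversion and the import wrapped in PowerShell, serving both this section and the conversion process in the example post. It assumes the tool path and file names given above, that the tool returns a non-zero exit code on failure (the post only says it reports errors), and a management server with the OperationsManager module installed; Import-SCOMManagementPack and Get-SCOMManagementPack are that module's own cmdlets.</p>

```powershell
# Added example, not from the post: run NetMonMpGenerator.exe from PowerShell,
# fail fast on a bad input file, and import the generated pack.
# Assumptions: tool path and file names from the post, a non-zero exit code on
# failure, and the OperationsManager module available on this server.

$generator = Join-Path $env:ProgramFiles 'Microsoft System Center 2016\Operations Manager\Server\NetMonMpGenerator.exe'
$inputFile = 'C:\SCOMosaur\dinos.xml'
$outputDir = 'C:\SCOMosaur'

if (-not (Test-Path $generator)) { throw "Generator not found: $generator" }
if (-not (Test-Path $inputFile)) { throw "Input file not found: $inputFile" }

# Reject input that is not even well-formed XML before handing it to the tool.
try { [xml](Get-Content -Path $inputFile -Raw) | Out-Null }
catch { throw "Input file is not well-formed XML: $($_.Exception.Message)" }

# Run the generator; -Overwrite replaces an earlier MP of the same name.
$output = & $generator -InputFile $inputFile -OutputDir $outputDir -Overwrite 2>&1
$output | ForEach-Object { Write-Host $_ }
if ($LASTEXITCODE -ne 0) { throw "NetMonMpGenerator failed with exit code $LASTEXITCODE" }

# The tool prints "Management pack created: <path>"; pull the path out of its output.
$mpPath = ($output | Select-String -Pattern 'Management pack created:\s*(.+\.xml)').Matches |
    ForEach-Object { $_.Groups[1].Value.Trim() } | Select-Object -First 1
if (-not $mpPath) { throw 'Could not find the generated management pack path in the tool output.' }

# Import into the management group and show what landed.
Import-Module OperationsManager
Import-SCOMManagementPack -FullName $mpPath
Get-SCOMManagementPack | Where-Object { $_.Name -like 'System.NetworkManagement.*' } |
    Select-Object Name, Version, LastModified
```

<p>Keep the input XML under version control next to the generated pack: the input file is the small, reviewable artefact, and regenerating with -Overwrite after a review is cheaper and safer than editing the 690-line output by hand.</p>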
<h3>Full example</h3>
<p>Now I know you are going to ask me for a full example where I create the input XML as well.</p>
<p><a href="http://www.bictt.com/blogs/bictt.php/2016/05/08/scom-2016-features-example-network">Example of the SCOM 2016 Network Monitoring MP Generator</a> where I will be attempting to monitor a Triceratops somehow.</p>
<p><img src="http://www.bictt.com/blogs/rsc/smilies/icon_question.gif" title="&amp;amp;#58;&amp;amp;#63;&amp;amp;#58;" alt="&amp;amp;#58;&amp;amp;#63;&amp;amp;#58;" class="middle" width="15" height="15" /> This of course relates to me being one of the SCOMosaurs and staying on the Theme. <img src="http://www.bictt.com/blogs/rsc/smilies/icon_razz.gif" title="&amp;amp;#58;&amp;amp;#112;" alt="&amp;amp;#58;&amp;amp;#112;" class="middle" width="15" height="15" /></p>
<h4>Back to the <a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-overview">SCOM 2016 Features - Overview</a> post!</h4>
<p>Enjoy!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-network-monitoring">Original post</a>.</small></p></div>
SCOM 2016 Features - Overview
http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-overview
Sat, 07 May 2016 11:56:00 +0000, Bob Cornelissen (SCOM, System Center, SCOM 2016)
<p>With this post I am giving you an overview of the new features which have been added to SCOM 2016 so far. I bet you thought not much was happening with SCOM for the 2016 version, right? Well, I can tell you there is still a lot going on. Below you will find some of the things which have been worked on.</p>
<p>A number of features were added in early Technical Preview Releases (TP3 and TP4), such as Scheduled Maintenance Mode and Nano Server Agent. I will cover those in the series below as well, but first I will focus on the items added in TP5.</p>
<p>The following features and items were added since Technical Preview 5 of SCOM 2016 (Start of May 2016 timeframe) and we want YOU to know about them <img src="http://www.bictt.com/blogs/rsc/smilies/icon_cool.gif" title="&amp;amp;#66;&amp;amp;#41;" alt="&amp;amp;#66;&amp;amp;#41;" class="middle" width="15" height="15" /> and you can use the links for each feature to dive more deeply into these features and improvements:</p>
<ul>
<li><h4><a href="http://www.bictt.com/blogs/bictt.php/2016/04/27/scom-2016-features-management-pack">Management Pack Updates and Recommendations</a></h4>This gives insight into whether there are currently management packs in use which need updating, and it will try to find Roles and Features on monitored servers for which you have not imported the corresponding management pack.
</li>
<li><h4><a href="http://www.bictt.com/blogs/bictt.php/2016/04/30/scom-2016-features-management-pack-1">Management Pack Tuning / Alert Data Management</a></h4>This feature uses alert data from your own environment to determine which management packs and monitors you need to take a look at for potential fine tuning and gives you easy access to create overrides for them.
</li>
<li><h4><a href="http://www.bictt.com/blogs/bictt.php/2016/05/02/scom-2016-features-scalability-for">Scalability for Unix/Linux Monitoring</a></h4>This is a setting you can change to make SCOM Linux/Unix monitoring use a slightly different monitoring method which makes it suitable to scale the amount of monitored Linux servers on a SCOM management server to twice the number of agents.
</li>
<li><h4><a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-network-monitoring">Network Monitoring MP Generator</a></h4>This tool is meant to make the creation of custom monitoring management packs for network devices easier. You can create a custom, simpler, XML file containing the device/discovery/monitoring logic you need and have this tool convert your XML file into a management pack ready to use for SCOM.
</li>
<li><h4><a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-console-performance">Console UI Performance Improvements</a></h4>Improvements are being made in a number of views to make the performance of the SCOM console better. Work is being done on several types of views and items. In TP5 this covers the Alert View.
</li>
</ul>
<p>Now there are also other SCOM 2016 improvements on the list:</p>
<ul>
<li><h4><a href="https://blogs.msdn.microsoft.com/nicole_welch/2015/07/17/scheduling-maintenance-mode-scom-2016-tech-preview-2/" target="_blank">Scheduled Maintenance Mode</a></h4>Did this finally happen? Yes there is now an interface in the SCOM Admin pane where you can specify multiple schedules and place objects into maintenance mode based on schedules. This link will open an external site with some screenshots of the solution as it was in an earlier technical preview.
</li>
<li><h4><a href="https://technet.microsoft.com/en-us/library/mt622341(v=sc.16).aspx" target="_blank">Nano Server Agent</a></h4>Nano Server is a new type of server meant to run specific workloads and meant to be as small as possible. This means a small attack surface, fewer files and a smaller operating system image, and fewer updates and restarts needed. In order to monitor Nano Server an adjusted agent installation was created, and custom management packs will be added to monitor specific workloads. Things around this Nano agent and its deployment and monitoring possibilities are still being worked on continuously, and this is a good thing because we will be seeing more of this technology. This link will open a new tab to a Technet site explaining how it works (TP4 version documentation).
</li>
<li><h4><a href="http://kevingreeneitblog.blogspot.nl/2016/04/the-new-scom-partner-solutions-area-is.html" target="_blank">Partner Solutions</a></h4>Added to SCOM 2012 R2 UR8 and up and to SCOM 2016 TP5 and up is an additional entry in the SCOM Admin pane where you will find Third Party partner solutions and products and see a link to a product page on the partners website. This link will open a new tab to a blog post from Kevin Greene on the same subject.
</li>
</ul>
<h3>Give feedback on SCOM features</h3>
<p>By the way, feel free to interact with the product team by giving them feedback:<br />
<a href="http://systemcenterOM.uservoice.com">The SCOM User Voice site</a></p>
<p>For example, to get the Scheduled Maintenance Mode feature to move from the Admin pane to the Monitoring pane somehow, so Operator-level SCOM users can use the feature as well and not only SCOM admins. Assuming of course most Operators and Service Desk staff are not heavy PowerShell users (yet).</p>
<h3>Wrap-up</h3>
<p>This and more is going on in SCOM 2016. I will be writing more about these subjects soon on my blog and in a future book and elsewhere probably.<br />
Also be sure to watch for my presentations on SCOM 2016 at conferences (MMS 2016 Minneapolis on 17 May) and user group meetings (WMUG NL in May). I will be recording one and posting it up soon.</p>
<p>Enjoy being in control of your network infrastructure!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-overview">Original post</a>.</small></p></div>
<h2><a href="http://www.bictt.com/blogs/bictt.php/2016/05/02/scom-2016-features-scalability-for">SCOM 2016 Features - Scalability for Unix/Linux monitoring</a></h2>
<p>Mon, 02 May 2016 19:47:00 +0000, Bob Cornelissen. Categories: SCOM, System Center, SCOM Tricks, SCOM 2016.</p>
<p>In SCOM 2012 R2 we were able to monitor up to 500 Unix/Linux agents per management server, or about 100 through a gateway. To be honest I think that was already stretching it, unless the number of workflows was kept to a minimum.</p>
<p>In SCOM 2016 work has been done to be able to scale up to higher numbers for this. Up to twice as much actually IF you use another monitoring method for cross platform monitoring. I will show you what I mean below.</p>
<p>In SCOM 2012 we were using WSMan sync APIs to connect to the Linux agents and pull data from them. This is also the default setting for SCOM 2016.<br />
However, if you have a large Linux/Unix deployment that you wish to monitor using SCOM 2016, there is a registry key you can set on the management server which changes the monitoring behavior to use async MI APIs. MI in this case stands for Windows Management Infrastructure, which is based on CIM standards (as is the SCOM OMI agent).</p>
<p>In order to get the SCOM management servers to use the new method (and thus scale up more!) you add a registry key to the management server which is monitoring the cross-platform agents. </p>
<p>Create this entry:<br />
HKLM:\Software\Microsoft\Microsoft Operations Manager\3.0\Setup\UseMIAPI</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/om16usemiapi.png" alt="" title="" /></p>
<p>After you do this I suggest you restart the Microsoft Monitoring Agent Service (also called the Healthservice) to be sure this goes into effect. Make sure all your management servers used for this purpose use the same method.</p>
<p>I think if you are monitoring a significant number of Linux/Unix agents in your environment (hundreds) that you change this setting on your SCOM 2016 management servers.</p>
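<p>To check this setting and apply it consistently across the management servers that monitor the cross-platform agents, here is an added PowerShell example (not from the original post). The server names are placeholders; it assumes WinRM remoting and local administrator rights on the management servers, and it creates the path the post names as a registry key.</p>

```powershell
# Added example (not from the original post): audit and, on request, create the
# UseMIAPI registry key that switches SCOM 2016 cross-platform monitoring to the
# async MI API, on every management server that monitors Unix/Linux agents.
# Server names are placeholders; Invoke-Command needs WinRM and local admin rights.

$RegPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup\UseMIAPI'

function Get-UseMIApiState {
    # Report per server whether the UseMIAPI key exists.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $RegPath -ScriptBlock {
        param($Path)
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            UseMIAPI     = Test-Path -Path $Path
        }
    } | Select-Object ComputerName, UseMIAPI
}

function Enable-UseMIApi {
    # Create the key where missing and restart the agent service so it takes effect.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($server in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($server, "Create $RegPath and restart HealthService")) {
            Invoke-Command -ComputerName $server -ArgumentList $RegPath -ScriptBlock {
                param($Path)
                if (-not (Test-Path -Path $Path)) {
                    # The setting is the presence of the key itself; no value is needed under it.
                    New-Item -Path $Path -Force | Out-Null
                }
                # Microsoft Monitoring Agent service (HealthService) must restart to pick this up.
                Restart-Service -Name HealthService -Force
            }
        }
    }
}

# Management servers of the pool that monitors the cross-platform agents (placeholders).
$mgmtServers = 'SCOMMS01', 'SCOMMS02'

$state = Get-UseMIApiState -ComputerName $mgmtServers
$state | Format-Table -AutoSize

# All servers in the pool must use the same method; a mixed pool is what this catches.
$distinct = $state.UseMIAPI | Sort-Object -Unique
if ($distinct.Count -gt 1) {
    Write-Warning 'Mixed state: some management servers use the MI API and some do not.'
}

# Dry run first, then apply.
# Enable-UseMIApi -ComputerName $mgmtServers -WhatIf
# Enable-UseMIApi -ComputerName $mgmtServers
```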
<h4>Back to the <a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-overview">SCOM 2016 Features - Overview</a> post!</h4>
<p>Happy crossplat monitoring!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/05/02/scom-2016-features-scalability-for">Original post</a>.</small></p></div>
<h2><a href="http://www.bictt.com/blogs/bictt.php/2016/04/30/scom-2016-features-management-pack-1">SCOM 2016 Features – Management Pack Tuning</a></h2>
<p>Sat, 30 Apr 2016 09:52:00 +0000, Bob Cornelissen. Categories: SCOM, System Center, SCOM Tricks, SCOM 2016.</p>
<p>This blog post introduces the new SCOM 2016 feature of Management Pack Tuning. It is meant to use alert data from SCOM to determine where tuning may be beneficial. The screenshots are based on the TP5 release of SCOM 2016 and may change in a few months as work continues on several features of SCOM.</p>
<p>The way we often used to tune out alerts and management packs was by a few methods. The first method is to import the management packs and sit back and see the alerts flowing in and taking them on one at a time. <br />
The second method was by using reporting:<br />
<br />
<img src="http://www.bictt.com/blogs/media/blogs/BICTT/Ddat1.png" alt="" title="" /></p>
<p>The two Data Volume reports are actually very useful in going through which management packs cause the most data volume (number of performance counter entries collected, number of alerts, number of events, and so on). They also let you drill down to see which workflows are the busy ones. After this you could go into SCOM, find the rules and monitors and tune them to your liking.</p>
<p>There are also reports in the SCC Health Check Reports library created by Oskar Landman and Pete Zerger which we can use for this. It is called SCOM Health Check Reports V3 now and can be found in the Technet Gallery.</p>
<h3>A new solution</h3>
<p>Now in order to facilitate alert tuning for you the product team has worked on a custom solution to help you analyze the alerts and which machines cause the most of this and tune the workflows directly from there.</p>
<p>Starting with SCOM 2016 TP5 you can go into the SCOM Administration pane, and in the Management Packs folder you will now find &#8220;Tune Management Packs&#8221;.</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/Ddat2.png" alt="" title="" /></p>
<p>To the right hand side in the tasks pane you will find "Identify management packs to tune" where you can set a time range for analysis. Otherwise just wait 2 days and things will surface.</p>
<p>Now in the middle we see I currently have one management pack which may need tuning, and it has given us 32 alerts in a limited amount of time. So we press the "Tune Alerts" task now!</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/Ddat3.png" alt="" title="" /></p>
<p>From here we can see which alert(s) came up during this period. To the right of what is in this screenshot there is also the name of the Rule or Monitor which caused this alert.</p>
<p>Now which possibilities do we have from here? If we right-click we get the following options:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/Ddat4.png" alt="" title="" /></p>
<p>The Copy function gives you a clear-text copy of the selected fields so you can put them in a Notepad file or an Excel sheet.</p>
<p>The Overrides option gives you the usual overrides options where you can override the monitor for all objects of this class or a group or single objects.<br />
Of course we can directly open the properties for the monitor right from here.</p>
<p>And lastly there is the option "View or overrides sources", which opens a popup where you can see which instances of the targeted class (here Logical Disk) have caused the alerts.</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/Ddat5.png" alt="" title="" /></p>
<p>From here we can tune the selected monitor for the specific objects which caused the alerts.</p>
<p>As I said at the start of the article, these are screenshots on TP5 preview and there may be changes to come to the interface and possibilities presented here.</p>
<p>The idea is however very clear and I like that this will help a lot of SCOM admins move into the tuning of alerts easier and quicker. Some people know how to do this using available reports both from the default reports or third party reports packs, but this new feature opens this up for more regular use by more SCOM admins.</p>
<p>One more remark here: I tried to fool around with another monitor to force it to give lots of alerts and what happens? Another monitor causes alerts and the one I set to very low thresholds never even fired an alert. Ha ha ha ha ha ha.</p>
<h4>Back to the <a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-overview">SCOM 2016 Features - Overview</a> post!</h4>
<p>Happy tuning!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/04/30/scom-2016-features-management-pack-1">Original post</a>.</small></p></div>
<h2><a href="http://www.bictt.com/blogs/bictt.php/2016/04/27/windows-2016-tp5-and-system">Windows 2016 TP5 and System Center TP5 now available</a></h2>
<p>Wed, 27 Apr 2016 17:33:00 +0000, Bob Cornelissen. Categories: SCOM, DPM, System Center, SCOM 2016, Windows 2016.</p>
<p>We have waited a while for this, but Windows 2016 TP5 and System Center 2016 TP5 are now available for download. This is a screenshot from the MSDN downloads site:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/tp5.png" alt="" title="" /></p>
<p>Good luck playing with the new releases!<br />
I have started with the SCOM 2016 TP5 myself, of course.</p>
<p>Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/04/27/windows-2016-tp5-and-system">Original post</a>.</small></p></div>
<h2><a href="http://www.bictt.com/blogs/bictt.php/2016/04/27/scom-2016-features-management-pack">SCOM 2016 features - Management Pack Updates and Recommendations</a></h2>
<p>Wed, 27 Apr 2016 16:17:00 +0000, Bob Cornelissen. Categories: SCOM, System Center, SCOM Tricks, SCOM 2016.</p>
<p>This blog post discusses one of the new features in SCOM 2016, Management Pack Updates and Recommendations. This feature was introduced, I think, in the SCOM 2016 TP4 preview version already, but I will discuss it now anyway.</p>
<p>All SCOM admins know that we can get management packs from either the Microsoft websites (and of course community and third party pages for their management packs), or we could use the Import Management Packs option and point it to the Catalog.</p>
<p>In there we have the options of looking for specific management packs, or to look for recently released management packs, or look for updates to already installed management packs.</p>
<p>Thing is that it was easy to forget to look for new management pack updates, and also it often happened that SCOM admins forgot to download management packs for new products they did install on servers in their environment (or new versions like a new SQL version).</p>
<h3>A new solution</h3>
<p>In SCOM 2016 we can see in the Administration pane an entry under Management Packs called Updates and Recommendations:<br />
<br />
<img src="http://www.bictt.com/blogs/media/blogs/BICTT/Mprec1.png" alt="" title="" /></p>
<p>From here we can select one management pack and download and install that management pack. There is also the possibility to do that with all of them. This will take you to the management pack download interface we were used to already.</p>
<p>As you can see from above screenshot there are a few management packs where we get an update recommendation, and two management packs this solution found to be missing if you thought you were already monitoring all roles.</p>
<p>What really happens is that this is a mini management pack which runs on all your agents and has very basic discoveries in it. It runs a discovery to see if you have for instance IIS or SQL installed, or a number of other roles. These discoveries look for Microsoft management packs, not custom ones. When it finds certain software/roles installed, this feature checks whether you have the applicable management pack installed. More discoveries for additional software/features/roles will be added over time.<br />
Also, of course, a pack version comparison is done against the catalog to check whether you have the latest version of already installed management packs.</p>
<p>Another interesting addition to the tasks pane in that view above is the possibility to go to the management pack guide. This option will take you right to the download of the management pack guide in a web browser.</p>
<p>The second option there is to go to the DLC page. This is the Microsoft download center page where you can find the description of the management pack, its downloads and guides, and installation instructions. Not all management packs have this link enabled, but a lot of them will have.<br />
The last task is called More Information. Now this is also a nice one. It will open a popup and show you which agents are running a workload relating to this management pack recommendation.<br />
<br />
<img src="http://www.bictt.com/blogs/media/blogs/BICTT/Mprec2.png" alt="" title="" /></p>
<p>In this case it is my freshly installed SCOM TP5 machine needing the SQL 2014 management pack.<br />
This is going to help us manage our management packs and check for updates to currently loaded management packs and also to check for forgotten management packs to get as much monitoring coverage as we can.</p>
<h4>Back to the <a href="http://www.bictt.com/blogs/bictt.php/2016/05/07/scom-2016-features-overview">SCOM 2016 Features - Overview</a> post!</h4>
<p>Good luck monitoring!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/04/27/scom-2016-features-management-pack">Original post</a>.</small></p></div>
<h2><a href="http://www.bictt.com/blogs/bictt.php/2016/04/25/activating-a-de-activated-scom">Activating a de-activated Evaluation SCOM 2012 instance</a></h2>
<p>Mon, 25 Apr 2016 20:58:00 +0000, Bob Cornelissen. Categories: SCOM, System Center, SCOM Tricks, SCOM 2012.</p>
<p>I came across a SCOM 2012 R2 instance which had expired. The license key was not entered in time, so SCOM did not work anymore and the SDK refused connections. Look in the event log and you will see that your evaluation version has expired and you need to enter your key. The thing is that you connect to SCOM through the Shell to activate it, and it refuses the connection at that point.</p>
<p>The trick is to restart the SDK service and quickly enter the production key.</p>
<p>Just open a normal PowerShell in administrator mode on the SCOM server and throw these three commands in there:</p>
<p><strong>Restart-Service -Name OMSDK<br />
Import-Module OperationsManager<br />
Set-SCOMLicense -ProductId XYZXX-XYZXX-XYZXX-XYZXX-XYZXX -Confirm:$false</strong></p>
<p>Of course use the real product key in there where the X's are!</p>
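<p>The same three steps with the timing made explicit, as an added example (this is not the post's own snippet): the script waits for the SDK service to report Running, retries the license cmdlet until the connection is accepted, and then reads the license state back with Get-SCOMLicense. The product key and the retry count are placeholders, not values from the post.</p>

```powershell
# Added example, not the post's own commands: race the restarted SDK service
# with Set-SCOMLicense and retry until it accepts the connection.
# Run from an elevated PowerShell on the management server.

$ProductKey  = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, replace with your real key
$MaxAttempts = 10                               # assumed; tune to your environment

# Restart the System Center Data Access service (OMSDK) and wait until it
# reports Running. The module is imported after the restart, in the same
# order as the post, because importing it connects to the SDK.
Restart-Service -Name OMSDK
(Get-Service -Name OMSDK).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

Import-Module OperationsManager

$activated = $false
for ($attempt = 1; $attempt -le $MaxAttempts -and -not $activated; $attempt++) {
    try {
        Set-SCOMLicense -ProductId $ProductKey -Confirm:$false -ErrorAction Stop
        $activated = $true
    }
    catch {
        # The SDK may still be initialising, or may already be refusing the
        # expired evaluation; wait briefly and try again.
        Write-Warning "Attempt $attempt failed: $($_.Exception.Message)"
        Start-Sleep -Seconds 3
    }
}

if (-not $activated) {
    throw "Could not apply the product key after $MaxAttempts attempts; check the Operations Manager event log."
}

# Read the licence state back; after a successful activation this should no
# longer show an evaluation. Microsoft's upgrade guidance asks for one more
# Data Access service restart once the key is applied.
Get-SCOMLicense
Restart-Service -Name OMSDK
```

<p>If every attempt fails, the window between the service coming up and it refusing the expired evaluation is too short on that machine; shorten the sleep or start the loop before the service reports Running.</p>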
<p>Have fun and good luck!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/04/25/activating-a-de-activated-scom">Original post</a>.</small></p></div>

<p><strong>How to monitor e-mail data sources with SCOM and Orchestrator</strong><br />
<small>Wed, 30 Mar 2016 17:33:00 +0000, Bob Cornelissen. Categories: SCOM, System Center, SCOM Tricks, SCOM 2012, SCORCH 2012.</small></p>
<p>While chatting with some MVP friends of mine about a specific scenario where data from e-mails needed to be read and monitored, it turned out there are multiple possibilities to do it. I proposed one possibility which I implemented at a customer a while ago and got asked to blog about the solution, so here it is. Because SCOM is not built to natively read from a mailbox, one has to come up with a workaround, and in my case I used System Center Orchestrator to do part of the job.</p>
<p><strong>Challenge:</strong></p>
<p>Following is the situation. A number of servers monitored by another company and using another monitoring product. That product monitors servers from several customers of theirs, so we can not directly access it. We could not access or query the product directly either through scripts or commands or database queries. So in the end the result was that the other company would send e-mails from their several monitoring systems to one of our mailboxes. Resulting in 3 e-mails every 15 minutes. The e-mails contained an XML formatted body containing a list of servers and their state.</p>
<ol><li>So, we have to read 3 e-mails from a mailbox every 15 minutes. Pull out the body of the e-mails. Next merge the content to make it 1 XML file placed on a server with a SCOM agent on it. These steps are not native to SCOM, but a combination of Orchestrator and PowerShell.</li>
<li>After that we can use one of several methods to monitor a text based file on a server to create the monitoring part. For this we can use SCOM.</li></ol>
<p>So let us start with the first part.</p>
<p><strong>Using Orchestrator to get our e-mails into an XML file</strong></p>
<p>I bet there are also other methods of doing this, but this was the method I selected and due to Orchestrator having some flexibility and some built-in actions in the intelligence packs this is very versatile.</p>
<p>Let us check out the email for a second:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/30mar16/XMLEmail.png" width="680" alt="" title="" /></p>
<p>We see the XML body there. In this case there are two servers mentioned in the email, however with longer names than how we know them so we need to play around with that too. Also with XML there is a header (first line) and a wrapper (second line start and end of last line), with the two actual content lines in the middle of it. Notice there are carriage returns and also spaces and potential tabs in there, which make it &#8220;nice&#8221; to filter those out while pulling the XML apart and creating a new XML file from that!</p>
<p><strong>Ingredients needed:</strong></p>
<ul><li>A destination File share where the final XML file will be placed for being monitored.</li>
<li>A mailbox where those messages arrive and we can read them from</li>
<li>We created an automatic rule to place those e-mails in a specific named folder in the mailbox.</li>
<li>We created a second folder where we can move the already read messages to.</li>
<li>An account able to read in that mailbox.</li>
<li>Orchestrator to create a runbook and bring it all together.</li>
<li>An intelligence pack for Orchestrator which can read from a mailbox. I used the &#8220;SCORCH Dev - Exchange Email&#8221; IP for this which can be found at <a href="https://scorch.codeplex.com/">https://scorch.codeplex.com/</a></li>
</ul>
<p>First import the Orchestrator IP needed to read the email and distribute it to the runbook servers as usual. Next start a fresh runbook and name it appropriately and place it in a folder where you can actually find it within Orchestrator. Advice is to use a clear folder structure within Orchestrator to place your runbooks in. This is not for the benefit of Orchestrator, but for yours!</p>
<p>Now we create the runbook. I will put the picture of the finished runbook here first before going through the activities:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/30mar16/Runbook1.png" alt="" title="" /></p>
<p>Let&#8217;s now cut up the pieces:</p>
<p><u>Monitor Date/Time</u></p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/30mar16/Activity1.png" alt="" title="" /></p>
<p>Well this one simply says to check every 15 minutes</p>
<p><u>Format Date/Time</u></p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/30mar16/Activity2.png" alt="" title="" /></p>
<p>This one takes the current time from the first activity and at the bottom there subtracts 15 minutes from it. The story behind this is that we want to read all emails which came in between now and 15 minutes ago. So this gives us that point in time.</p>
<p><u>Rename File</u></p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/30mar16/Activity3.png" alt="" title="" /></p>
<p>We wanted our monitored xml file to always have a fixed name. So when we are about to create a new version of that file we first go out to that file share and take the current XML file and rename it by adding a date-time format in the name to make it unique. We wanted to be able to look back in history here, else we would have chosen to just delete it. This makes the folder look like this:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/30mar16/Activity3b.png" alt="" title="" /></p>
<p><u>Read mail from folder</u></p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/30mar16/Activity4a.png" alt="" title="" /></p>
<p>Now this is a custom activity coming from the Exchange Email IP we imported earlier.<br />
From the top we see we have to define a configuration. We will get back to that in a second. Next you can see that we are looking for Unread emails in a certain folder (keep in mind the folder name must be unique in that mailbox, else it just takes the other one, which is not what you want). Now on the left hand side we see Filters:</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/30mar16/Activity4b.png" alt="" title="" /></p>
<p>We also want those emails to have a certain subject line. And we want those emails to be received after the time from the Format Date/Time activity above. Meaning the email was received after 15 minutes ago. So in the last 15 minutes.</p>
<p>Now to get back to the Configuration part. Many IP&#8217;s in Orchestrator have a place where you can centrally set some parameters. For instance a login account, a server connection, and so on. This can be found on the top menu bar of the Orchestrator Runbook Designer under the Options menu. Find the item with the same name as the IP you are trying to configure. In this case it needs us to set up a connection to an email server. Type is Exchange Server, then type a username, password, domain, and a ServiceURL. The ServiceURL is the Exchange Web Services (EWS) endpoint; for an Exchange server this could be <a href="https://webmail.domain.com/EWS/Exchange.asmx">https://webmail.domain.com/EWS/Exchange.asmx</a> for example, but check this for your own environment.</p>
<p><u>Retry Read mail from folder</u></p>
<p>This one will only run if the first Read mail from folder activity fails. You can set properties on those connecting arrows between the activities to make it go here if the first one fails. I made the line color red and set a delay on the line of 20 seconds. Else it will follow the other line and go to the script. This activity does exactly the same as the previous one. We had some time-outs during certain times so this extra loop slipped in there.</p>
<p>So those Read mail from folder activities should contain 3 e-mails received in the last 15 minutes from that folder, unread, with a subject line, and Orchestrator now knows what the body of those emails contains. This also means that the next activity (the script) will run three times.</p>
<p><u>Run .net script</u></p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/30mar16/Activity5a.png" alt="" title="" /></p>
<p>At the top we define this to be a PowerShell script. So first we pull in the variable, which is the body of the email from the previous step. Next thing we do in the script is remove all excess stuff that we do not need: empty spaces before and after several lines and entries. Also we will take out those headers and surrounding entries. We can add them ourselves to a clean file, right? So this should give us a new string which only contains the XML entries for those servers with their state.</p>
<p>Next thing we needed to do is build in some tricks into this script. We know it is going to run three times and we need to stitch the contents together into one file.</p>
<p><u>Line of thought:</u></p>
<p>If there is no xml file there to write to this means this is the first time we run the script after the old file got renamed. So we need to create the xml file right now and add the headers to it. Next we add the body to it (server names with state).</p>
<p>If there is a file there with the correct name it means we are either in the second or third run. So what we do is simply write down the body (servers and state) and add the trailing end tag to it. This can be done on the second and third run. However, if this happens to be the third run, we will first check if that trailing tag is there and remove it. And next dump the body again and add the end tag.</p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/30mar16/Activity5b.png" width="680" border="1" alt="" title="" /></p>
<p>So that part takes care of dumping the contents into the file following the above thought process (with the first thought coming at the end as the Else statement). Sorry for the Dutch comments, but you get the idea.</p>
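<p>The stitching logic above, as an added example (this is not the runbook's own script, which is only shown as a screenshot): it parses each e-mail body as XML and appends only the entries to the merged file, so the header, the wrapper, the stray whitespace and the trailing-tag trick are handled by the parser rather than by string surgery. The element and attribute names, the output path and the sample e-mail bodies are constructed; the name shortening mirrors the remark earlier in the post that the partner reports longer names than the ones we use.</p>

```powershell
# Added example, not the runbook's own script: merge the XML body of each
# e-mail into one file across the three runs of the Run .Net Script activity.
# Element names (<Servers>/<Server>), the Name and State attributes and the
# output path are assumptions; the post only shows a screenshot of the real
# e-mail. Inside Orchestrator, $Body comes from the published data of the
# Read mail from folder activity.

function Merge-MailBodyIntoXml {
    param(
        [Parameter(Mandatory=$true)][string]$Body,   # body of one e-mail
        [Parameter(Mandatory=$true)][string]$Path    # merged file on the watcher's share
    )

    # Parse the body instead of editing it as text: the parser ignores the
    # tabs, spaces and carriage returns around the entries, and the
    # declaration and wrapper never need to be stripped by hand.
    $incoming = New-Object System.Xml.XmlDocument
    $incoming.LoadXml($Body.Trim())

    $target = New-Object System.Xml.XmlDocument
    if (Test-Path -LiteralPath $Path) {
        # Second or third run: extend the file the first run created.
        $target.Load($Path)
    }
    else {
        # First run after Rename File: write declaration and root once.
        [void]$target.AppendChild($target.CreateXmlDeclaration('1.0', 'utf-8', $null))
        [void]$target.AppendChild($target.CreateElement($incoming.DocumentElement.Name))
    }

    # Copy only the entries; the incoming wrapper is discarded. The DOM writes
    # the closing root tag on every Save, so the "remove the trailing tag on
    # the third run" step is not needed.
    foreach ($node in $incoming.DocumentElement.ChildNodes) {
        if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        $entry = [System.Xml.XmlElement]$target.ImportNode($node, $true)
        # The partner reports FQDNs; keep the short host name so it matches
        # the names our watchers are discovered with.
        $entry.SetAttribute('Name', ($entry.GetAttribute('Name') -split '\.')[0])
        [void]$target.DocumentElement.AppendChild($entry)
    }

    $target.Save($Path)
    return $target.DocumentElement.ChildNodes.Count
}

# Stand-alone demo with two constructed e-mail bodies (replace with published
# data inside Orchestrator). The temp path stands in for the file share.
$OutputFile = Join-Path $env:TEMP 'servers.xml'
if (Test-Path $OutputFile) { Remove-Item $OutputFile }   # stands in for Rename File

$mail1 = @"
<?xml version="1.0" encoding="utf-8"?>
<Servers>
`t<Server Name="srv01.partner.example.com" State="3" />
    <Server Name="srv02.partner.example.com" State="7" />
</Servers>
"@
$mail2 = @"
<?xml version="1.0" encoding="utf-8"?>
<Servers>
    <Server Name="srv03.partner.example.com" State="11" />
</Servers>
"@

foreach ($body in @($mail1, $mail2)) {
    $count = Merge-MailBodyIntoXml -Body $body -Path $OutputFile
    Write-Output "servers.xml now holds $count entries"
}
Get-Content $OutputFile
```

<p>After the two demo runs the file holds three entries under a single root. Because the file is parsed and rewritten on every run, a malformed body from the partner fails loudly at LoadXml instead of producing a half-written file that the SCOM monitor would then misread.</p>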
<p><u>Move mail</u></p>
<p><img src="http://www.bictt.com/blogs/media/blogs/BICTT/30mar16/Activity6.png" alt="" title="" /></p>
<p>Next we take the e-mails found by the Read mail from folder activity and move them to the other folder in the mailbox.</p>
<p>So, that is the whole runbook to get a few emails and merge them together so we can monitor the thing!<br />
There is a separate runbook which cleans old files from that file share and which cleans old emails from that folder in the mailbox by the way. At least we can look a few days back what happened.</p>
<p><strong>The monitoring part in SCOM</strong></p>
<p>Now I am not going into all the details of this part. I had a reason to not link these entries directly to the monitored servers, or to write the xml file to those servers. I opted to create a watcher node (and its discovery from a registry entry on that machine). That watcher node is the server with that file share and the xml file on it.</p>
<p>Next I created watchers in a class, and discovered them through registry as well. Containing the names of the servers we wanted to check for in the XML.</p>
<p>For each watcher it runs a PowerShell monitor which goes into the XML file and finds its corresponding entry (server name). Next it picks up the State (which is a number) and we translate the 12 possible numbers into green/yellow/red type entries and place them into the property bag. That gets evaluated into the three states we know so well.</p>
<p>Next we could throw those watcher entries for each server and also some other entries onto a dashboard. We could see the state the other party saw from their monitoring system and the state we see from SCOM side on one dashboard for those servers and monitored entries. We have the hardware/OS layer with a few extras, and they have an OS layer and application layers which we could not pick up.</p>
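<p>The per-watcher monitor script, as an added example that is not the post's own code: it looks up the watcher's server in the merged XML file, maps the partner's numeric state onto green/yellow/red and returns the result in a property bag through MOM.ScriptAPI, the standard script API for SCOM monitors. The twelve-code mapping, the element names and the share path are constructed placeholders, since the post does not list the real values; the file-age check is an addition, because a runbook that silently stops would otherwise leave a stale Green in place.</p>

```powershell
# Added example, not the post's own monitor script: a SCOM PowerShell monitor
# for one watcher. The code-to-colour table, the element names and the share
# path below are constructed; substitute the real ones.
param(
    [string]$ServerName = 'srv02',                             # watcher instance property (assumed)
    [string]$XmlFile    = '\\watcher01\monitor$\servers.xml',  # assumed share path
    [int]$MaxAgeMinutes = 30                                   # assumed: two missed 15-minute runs
)

# Constructed mapping of the twelve partner state codes onto three states.
$StateMap = @{
    Green  = 0, 1, 2, 3
    Yellow = 4, 5, 6, 7
    Red    = 8, 9, 10, 11
}

function Get-WatcherHealth {
    param([string]$Name, [string]$Path, [int]$MaxAge)

    if (-not (Test-Path -LiteralPath $Path)) {
        return @{ Health = 'Red'; Reason = 'merged XML file not found' }
    }
    # A file older than the runbook interval means the mail chain broke;
    # do not report a stale Green as healthy.
    $age = (Get-Date) - (Get-Item -LiteralPath $Path).LastWriteTime
    if ($age.TotalMinutes -gt $MaxAge) {
        return @{ Health = 'Yellow'; Reason = "file is $([int]$age.TotalMinutes) minutes old" }
    }

    [xml]$doc = Get-Content -LiteralPath $Path
    $entry = @($doc.Servers.Server | Where-Object { $_.Name -eq $Name })
    if ($entry.Count -eq 0) {
        return @{ Health = 'Red'; Reason = "no entry for $Name in file" }
    }
    $code = [int]$entry[0].State
    foreach ($colour in 'Green', 'Yellow', 'Red') {
        if ($StateMap[$colour] -contains $code) {
            return @{ Health = $colour; Reason = "partner state code $code" }
        }
    }
    return @{ Health = 'Red'; Reason = "unknown partner state code $code" }
}

$result = Get-WatcherHealth -Name $ServerName -Path $XmlFile -MaxAge $MaxAgeMinutes

# Hand the result to SCOM. The monitor's three conditions each compare
# Property[@Name='Health'] with Green, Yellow or Red; Reason goes into
# the alert description.
$api = New-Object -ComObject 'MOM.ScriptAPI'
$bag = $api.CreatePropertyBag()
$bag.AddValue('Health', $result.Health)
$bag.AddValue('Reason', $result.Reason)
$api.Return($bag)
```

<p>The script is written so that "no data" and "stale data" are distinguishable from a real partner-reported failure, which is what you want on the dashboard mentioned next: a broken mail chain shows up as a yellow band across all watchers rather than as a set of red servers.</p>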
<p><strong>Conclusion</strong></p>
<p>As you can see, sometimes we run into situations where there is no other way to get monitoring data than through workarounds and the long way. This is not ideal. As you can understand, there are dependencies left and right for this whole chain to work. If there is no other way then that is the way it has to be. Direct monitoring or direct connecting is preferred.<br />
But this shows how you can get monitoring data from e-mails into SCOM, in this case through the use of Orchestrator and watchers because that was what we needed.</p>
<p>Shout-out to amongst others Cameron Fuller for making me write this post!<br />
Happy monitoring!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/03/30/how-to-monitor-e-mail">Original post</a>.</small></p></div>

<p><strong>Hold off on the SCOM Base OS pack version 6.0.7303.0</strong><br />
<small>Fri, 04 Mar 2016 12:23:00 +0000, Bob Cornelissen. Categories: SCOM, System Center, SCOM 2012, Windows 2012.</small></p>
<p>A little while ago the Base OS pack was updated again, to version 6.0.7303.0<br />
It is not advised to upgrade your SCOM packs to this version yet, because it has some bugs in it.</p>
<p>Kevin Holman writes about it here:<br />
<a href="http://blogs.technet.com/b/kevinholman/archive/2016/02/24/base-os-mp-s-have-been-updated-version-6-0-7303-0.aspx">http://blogs.technet.com/b/kevinholman/archive/2016/02/24/base-os-mp-s-have-been-updated-version-6-0-7303-0.aspx</a></p>
<p>So would hold off until a newer version comes out (hopefully soon) and please check it in your test environment before you let it hit production. A lot of other packs have references to Base-OS packs so it is hard to remove it when something goes wrong.</p>
<p>Good luck!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/03/04/hold-off-on-the-scom">Original post</a>.</small></p></div>

<p><strong>System Center DPM 2012 R2 UR9</strong><br />
<small>Fri, 26 Feb 2016 11:44:00 +0000, Bob Cornelissen. Categories: DPM, System Center.</small></p>
<p>If you are running DPM 2012 R2 you will want to look at the UR9 update rollup, which was released a month ago. They are now classing it as an important update. It includes a whole list of improvements.</p>
<p>Check out the blog post from the DPM team here for more information:<br />
<a href="https://blogs.technet.microsoft.com/dpm/2016/02/25/backup-of-enterprise-data-made-easier-with-system-center-data-protection-manager/">https://blogs.technet.microsoft.com/dpm/2016/02/25/backup-of-enterprise-data-made-easier-with-system-center-data-protection-manager/</a></p>
<p>Have fun backing up your stuff!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/02/26/system-center-dpm-2012-r2">Original post</a>.</small></p></div>

<p><strong>Bridgeways releases newer version of VMWare MP for SCOM</strong><br />
<small>Mon, 08 Feb 2016 19:13:00 +0000, Bob Cornelissen. Categories: SCOM, System Center, SCOM Tricks, SCOM 2012.</small></p>
<p>Bridgeways has been working very hard this last year on getting back up to speed creating management packs, updating existing ones, making them more intuitive and useful to work with, adding support staff and also hiring a very competent CTO (a good friend of mine and fellow MVP Simon Skinner) who takes management pack quality very seriously. It is exciting to see the progress being made.</p>
<p>Today the new version of their VMWare monitoring management pack was released. It contains updated views and dashboards. The new style dashboards also were augmented with a few core dashboards:</p>
<ul>
<li>Host Performance: includes CPU Usage, Memory Usage, Swap Memory Usage, Balloon Usage, Network Usage and Storage Usage data.</li>
<li>CPU Performance: includes CPU Usage, Average CPU System Time, Average CPU Ready and CPU Wait data.</li>
<li>Memory Performance: includes Active Memory, Balloon Memory, Shared Memory and Swapped Memory data.</li>
</ul>
<p>Also there is an expanded set of reports. The combination gives better and quicker insights into the VMWare environment in order to troubleshoot issues and to proactively find upcoming issues.</p>
<p>Now as some of you probably know I have always been a big fan of a competing vendor's management pack for VMWare (Veeam) and I still am. However it is good that a few other vendors have been looking seriously at creating a good management pack which can cover this monitoring scenario. I know a few have been working on this and are becoming serious contenders when it comes to product selection for this purpose. The Bridgeways pack will now be one of them in every selection process. Especially when there is a price difference between solutions, our customers (and you) will be looking at price/quality points and whether it covers what you are initially looking for. I know all my customers always look at price very closely and I do not think it's a purely Dutch thing to do.<br />
I will be examining functionality and pros and cons of these packs closely in the future.</p>
<p>So for now congratulations to Bridgeways for taking the step forward, and we are watching you closely.</p>
<p>For any questions regarding this article or any management packs feel free to contact me.<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/02/08/bridgeways-releases-newer-version-of">Original post</a>.</small></p></div>
<p><a href="http://www.bictt.com/blogs/bictt.php/2016/01/28/ur9-for-system-center-2012">UR9 for System Center 2012 R2 available</a><br />
Thu, 28 Jan 2016 07:54:00 +0000, Bob Cornelissen. Categories: DPM, SCVMM, Service Manager, System Center, SCOM 2012, SCORCH 2012.</p>
<p>We noticed the release of UR9 for Service Manager a day earlier, and WSUS already had the SCOM agent updates, but today the KB article was released giving an overview of UR9 for the System Center 2012 R2 products.</p>
<p><a href="https://support.microsoft.com/en-us/kb/3129757#/en-us/kb/3129757">The KB article for System Center</a></p>
<p>The products receiving the update are:</p>
<ul>
<li><a href="https://support.microsoft.com/en-us/kb/3112306">DPM 2012 R2 UR9</a> Data Protection Manager</li>
<li><a href="https://support.microsoft.com/en-us/kb/3129774">SCOM 2012 R2 UR9</a> Operations Manager</li>
<li><a href="https://support.microsoft.com/en-us/kb/3129780">SCSM 2012 R2 UR9</a> Service Manager</li>
<li><a href="https://support.microsoft.com/en-us/kb/3133705">SPF Service Provider Foundation</a></li>
<li><a href="https://support.microsoft.com/en-us/kb/3129784">VMM 2012 R2 UR9</a> Virtual Machine Manager</li>
<li><a href="https://support.microsoft.com/en-us/kb/3129786">WAP Windows Azure Pack</a></li>
</ul>
<p>Do not forget to test first and to read the KB articles for whatever you are upgrading.<br />
Have fun!<br />
Bob Cornelissen</p><div class="item_footer"><p><small><a href="http://www.bictt.com/blogs/bictt.php/2016/01/28/ur9-for-system-center-2012">Original post</a>.</small></p></div>
